Silicon Shecky

Infosec Practitioner

Connect

Deck the Halls with Security advice

By Leave a Comment

It is that time of year. Holiday shopping, Black Friday, Cyber Monday (that still sounds like a XXX movie), and the like. Special offers abound, and the bad guys are ready to get you. Some simple steps to stay safer during the holidays.

This is the time of year that the criminal digital underground loves. People rushing to get the best deals they can, be it online or offline. The odds of someone clicking on a malicious link, increases with desperation, and of course making the deals looks good. Nothing will 100% guarantee that your going to be free of malware, or that your identity will not be swiped, but there are some simple things to remember to keep the risks at more of a minimum.

1) If it looks to be too good of a deal, it probably is, especially online. Deals are the easiest thing to snag someone online with. Pair that with fake URLs that look legit, and you have a recipe for disaster. The trick here is to find out what the real URL is. In Outlook and most browsers out can hover over links to see what they are sending you to. Doing a right click and copy hyperlink then pasting into notepad is a good way to see the full link itself for a quick check. If it shows something that bothers you, don’t go to it, don’t click on it.

2) Keep up to date with your purchases. This is easy enough to do with online banking. Check at minimum once a week online with your bank and credit card companies. Look for anything out of the ordinary. the faster you see something that looks fraudulent the faster things can be taken care of, and the less hassle there is overall.

3) Single Click on the web! I see this all too often. We as a society have gotten so use to double clicking to open programs that we forget it is a single click on a link. This is important because that second click could hit a hijacked ad on the site you were going to and at that point it is game over. You are pwnd and let the malware flood gates open.

4) Backup Backup Backup. Get an external drive that you only connect to backup your files, Use Mozy or Carbonite, do something to backup your files. Especially with Cryptolocker out there, the clean backup is important so you don’t have to pay to recover your files and take the risk that the bad guys are not going to keep their end of the bargain.

5) If you do not have to enter your pin on a pad, DON’T! Most bank cards can be used as “Credit Cards” (They have the Mastercard or Visa logo on them) meaning you do not have to punch in your security pin. Who knows if that pin pad is secure. Yes it only stops the pin from being gotten but that can be enough to stop someone from emptying your account.

Yes, these are basics, and yes milli0ns of people each year tend to not think about them. They are simple and pretty effective, but remember not perfect. If someone hacks the store or bank, you have no control over that. If the credit card or ATM machine has been tampered with, you don’t have control over that. Just do what you can to keep a little safer, and have a great holiday season!

 

-Shecky

 

Google.. what are you doing?

By Leave a Comment

Google’s Bradley Horowitz recently announced that Google+ will be accepting Nicknames and Pseudonyms. Considering other changes, is Google+ drowning?

People from day one have been asking for anonymity on Google+ and now Google has a few ways to hide your real name from the world. At least that is how it seems. With the announcement a couple of friends tried setting up nicknames. And while they could add them into their profile, they couldn’t change the name that people saw. Hopefully that portion just hasn’t rolled out yet.

The Pseudonym Policy on the other hand will require some verification. The methods could be rather arbitrary as they say the will require either real world or online verification of some sort. The arbitrary nature of the verification process is where I see problems coming in. The other question is what should be a nickname and what a Pseudonym?

Finally, Google is forcing people to sign up for Google+ when they get any of Google’s services. While we all know that this is a sure fire way to artificially increase the numbers for Google+, there is another problem with this. The naming policy, unless you get an approved pseudonym, requires real information such as your full name. This limits the usefulness of Gmail as an anonymous e-mail account. Not only that, but it could drive people to picking up Yahoo or Hotmail accounts again. Forcing people to sign up for a service they don’t want and will not use is a bad business decision on any company’s part. It really makes you wonder if Google+ is drowning in its own hype.

Right now I am taking a wait and see approach. I have a Google+ account already, and I do have a Google+ page set up for SiliconShecky, which eventually I will find a tool that will post my articles to Google+ like I post to twitter automatically. Also check out this article from Ars Technica for more information.

SOPA/PIPA: What Happens Now?

By Leave a Comment

This week there was protesting going on about SOPA and PIPA. The real question is, what happens now?

Congressmen are removing their support. the people who introduced the bills are removing the DNS blocking provisions. What more needs to happen is the question that they will ask.

First, lets start with this, a politicians promise is like a prostitute’s kiss. It is slimy and is not something you can believe. The fact that non of the congressmen who have backpedaled have given any clue as to what they now find objectionable outside of their constituents not liking the bill, is a worrisome sign. One that shows that they don’t really want to back off, and they are putting on a face until the fervor dies down. This is why we need to press the advantage right now to get these bills changed.

Karl W. Palachuk rightly claims in a Facebook post that 99% of the people who signed the petitions don’t know much about the bill. He though, like a lot of the people for the bills, try to make it about infringing versus not infringing. That is not the real problem. People like him who say that not supporting SOPA/PIPA is akin to being a pirate yourself are short sighted and wrong. The real issues are Cybersecurity, letting the foxes (RIAA/MPAA) guard the hen house, and no oversight. The Censorship angel is being used as a way to disguise these other issues that have been brought up.

For instance, there is a provision in SOPA that “bars the distribution of tools and services designed to get around such blacklists.” This is dangerous because sites such as Tor, which is used by people in places such as China and Iran to get around their firewalls, could create problems for VPNs, which could be used by people who work for multinational companies to get around the blacklists, and encryption which would prevent people from seeing what you are requesting on the net. Heck, to bypass some of the blocking/filtering, you could just modify your hosts file. Does that make every operating system illegal under SOPA?

Also think about this. The punishments in SOPA do not fit the crimes. Overbearing on the fines front, making these crimes a felony and setting jail times longer than those who beat up their wives or kids is just not right.

Now to further the argument, there is the Megaupload takedown which happened yesterday. this 2 year investigation with international cooperation sets a standard for taking down sites that are helping pirate stuff knowingly. Yes they have servers on American soil, but they are a multinational company, and Kim Dotcom was arrested in New Zealand. That right there shows that the DCMA combined with current law can take down pirates.

Yes Piracy is a problem. Then again its always been a problem. Should we shut down libraries because people might not (and do not) return books thereby getting them for free. Heck they read them for free through the library. You can get movies, music all of it for free from a library. Why not shut them down? The point being that no matter what, there will be it. I have yet to see confirmable numbers on what it actually is doing to the entertainment industry, but with the amounts of money the execs get pain in bonuses, it really can’t be hurting them too much.

You can go to sites like ArsTechnica.com and find a wealth of information about SOPA and PIPA, what they could do with the laws, extreme examples such as I have posted, and more. There is a wealth of good information out there, and people do need to actually take time to make educated decisions about these sorts of laws.

Finally, think about this. How often do the worst case scenarios come true? Look to the past, see what controversial laws have been enacted without oversight, and how they have been abused over the years. See what groups like the RIAA and MPAA have done in playing the role of Chicken Little (Cassette Tapes, VCRs etc..) over the years, and how they have been proven wrong. We have to decide at some point our own future and not let it get silently dictated to us by a bunch of corporate goons.